30.09.2015

[ OSSEC + Splunk ] config/install

On Splunk:
Example install Splunk:
rpm -Uvh splunk-5.0.2-149561-linux-2.6-x86_64.rpm

Add a UDP input in Splunk for the OSSEC alerts

nano /opt/splunk/etc/system/local/inputs.conf
(put the stanza under local/, not system/default/ - Splunk overwrites default/ on upgrade)

[udp://192.168.10.109:10002]
disabled = false
sourcetype = ossec

192.168.10.109 is the OSSEC server IP. Naming the remote host in the stanza restricts the input to packets from that sender; [udp://10002] would accept from any host. Splunk does not support comments on the same line as a stanza header, so keep notes on their own lines. The GUI's "Set host: ip" below corresponds to connection_host = ip in this stanza.

OR (same thing through the web UI)

splunk -> Manager -> Data inputs -> UDP -> New
UDP port: 10002
Set host: ip
Set source type: Manual
Source type: ossec
Save

Make sure UDP 10002 is open in the firewall on the Splunk host and that nothing else is already bound to it.

/opt/splunk/bin/splunk restart

On OSSEC:
Example install:
:~> wget http://www.ossec.net/files/ossec-hids-2.6.tar.gz
:~> gunzip -d ossec-hids-2.6.tar.gz
:~> tar -xvf ossec-hids-2.6.tar
:~> cd ossec-hids-2.6
:~> sudo ./install.sh

vim /var/ossec/etc/ossec.conf
add, as a direct child of <ossec_config> (a sibling of <global>, not inside it):
<syslog_output>
<server>172.25.3.3</server>
<port>10002</port>
</syslog_output>
<server> is the Splunk host and <port> must match the UDP input above. Note the two halves of this note use different networks: the Splunk stanza named 192.168.10.109 as the OSSEC server, while 172.25.3.3 here is the Splunk indexer - substitute your own addresses. Newer OSSEC releases also accept an optional <format> element in this block (for example key=value output for Splunk) if you would rather not parse the default alert text.

# /var/ossec/bin/ossec-control enable client-syslog
# /var/ossec/bin/ossec-control restart     (or: service ossec restart)

The enable step matters: the <syslog_output> block is ignored until client-syslog (ossec-csyslogd) is enabled, since it is off by default.
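Once client-syslog is running, what lands on the Splunk UDP input is one line per alert in OSSEC's default syslog_output text format. The following is an added example (not from the original note, and not OSSEC or Splunk code) that parses such lines into the fields you would want Splunk to extract (level, rule, agent, srcip, user, original log) and filters by alert level. The sample lines are constructed, and the line layout is assumed from OSSEC's default syslog output, so check it against a real alert from your own version before building extractions on it.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample lines (not captured from a real system), in the shape
# OSSEC's client-syslog 'default' format is assumed to send:
# <PRI>timestamp host ossec: Alert Level: N; Rule: ID - description;
# Location: where; [srcip: X;] [dstip: X;] [user: X;] <first line of the log>
SAMPLE_ALERTS: List[str] = [
    "<132>Sep 30 10:15:02 ossec-server ossec: Alert Level: 10; "
    "Rule: 5712 - SSHD brute force trying to get access to the system.; "
    "Location: (web01) 192.168.10.50->/var/log/auth.log; "
    "srcip: 203.0.113.5; user: root; "
    "Sep 30 10:15:01 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 51344 ssh2",
    "<132>Sep 30 10:16:40 ossec-server ossec: Alert Level: 7; "
    "Rule: 550 - Integrity checksum changed.; "
    "Location: ossec-server->syscheck; "
    "Integrity checksum changed for: '/etc/passwd'",
    # Plain syslog from another sender on the same port: not an OSSEC alert.
    "<34>Sep 30 10:17:00 web01 sshd[2300]: Accepted publickey for deploy from 198.51.100.9 port 40022 ssh2",
]

ALERT_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) ossec: Alert Level: (?P<level>\d+); "
    r"Rule: (?P<rule>\d+) - (?P<desc>.*?); "
    r"Location: (?P<location>.*?);"
    r"(?: srcip: (?P<srcip>\S+);)?"
    r"(?: dstip: (?P<dstip>\S+);)?"
    r"(?: user: (?P<user>\S+);)?"
    r" (?P<log>.*)$"
)

# Location is "(agent) agent_ip->logfile" for agent alerts, or
# "hostname->logfile" for alerts raised on the OSSEC server itself.
LOCATION_RE = re.compile(
    r"^(?:\((?P<agent>[^)]+)\) (?P<agent_ip>\S+)|(?P<local>\S+))->(?P<logfile>.+)$"
)


def parse_ossec_alert(line: str) -> Optional[Dict[str, object]]:
    """Return the alert's fields as a dict, or None when the line is not an
    OSSEC alert (for example ordinary syslog that arrives on the same port)."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    loc = LOCATION_RE.match(m["location"])
    pri = int(m["pri"]) if m["pri"] is not None else None
    return {
        "timestamp": m["ts"],
        "ossec_host": m["host"],
        # The syslog PRI value encodes facility * 8 + severity.
        "facility": pri // 8 if pri is not None else None,
        "severity": pri % 8 if pri is not None else None,
        "level": int(m["level"]),
        "rule": int(m["rule"]),
        "description": m["desc"],
        "location": m["location"],
        "agent": (loc["agent"] or loc["local"]) if loc else None,
        "agent_ip": loc["agent_ip"] if loc else None,
        "logfile": loc["logfile"] if loc else None,
        "srcip": m["srcip"],
        "dstip": m["dstip"],
        "user": m["user"],
        "log": m["log"],
    }


def alerts_at_or_above(lines: Iterable[str], min_level: int) -> List[Dict[str, object]]:
    """Keep only parsed OSSEC alerts with level >= min_level (the ones worth
    a Splunk alert action); non-alert lines are dropped."""
    out: List[Dict[str, object]] = []
    for line in lines:
        alert = parse_ossec_alert(line)
        if alert is not None and alert["level"] >= min_level:
            out.append(alert)
    return out


if __name__ == "__main__":
    for a in alerts_at_or_above(SAMPLE_ALERTS, 7):
        print(f"level={a['level']} rule={a['rule']} agent={a['agent']} "
              f"srcip={a['srcip']} {a['description']}")
```

The regex mirrors the order OSSEC writes the optional fields (srcip, dstip, user) so that a missing field does not shift the ones after it; the same patterns translate directly into a Splunk props.conf/transforms.conf extraction for the ossec sourcetype.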


// Splunk DATA clean (wipes ALL indexed events on this instance; only for a test box or a fresh start):
# service splunk stop
# cd /opt/splunk/bin
# ./splunk clean eventdata
# service splunk start

To wipe only one index and skip the confirmation prompt: ./splunk clean eventdata -index <index_name> -f